CVE-2017-18878
Mattermost Server allows users with a session ID to revoke another users' session in github.com/mattermost/mattermost-server
Description
Mattermost Server allows users with a session ID to revoke another users' session in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server before v4.1.2-0.20171004201910-6be8113eb60c, before v4.2.1-0.20171004192657-8fbbd688ea24.
How to fix CVE-2017-18878
To remediate CVE-2017-18878, upgrade the affected package to a fixed version below.
- —upgrade to 4.1.2-0.20171004201910-6be8113eb60c or later
- —upgrade to 4.3.0+incompatible or later
Is CVE-2017-18878 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 4.1.2-0.20171004201910-6be8113eb60c
- >= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |